Security experts stress urgency of patching Windows XML flaw

Happy Patch Tuesday! Microsoft is kicking off the year with seven new security bulletins. Five are rated Important and two are rated Critical, but one in particular has security experts concerned.

Andrew Storms, director of security operations for nCircle, stresses that MS13-002 will be a popular target for attackers and should be the top priority. “If you can’t do anything else right away, at least patch this one post haste. This critical XML bug affects every version of Windows in one way or another because XML is used by a wide range of operating system components.”

Attackers may quickly prey on flaws in XML in Windows.

Tyler Reguly, technical manager of security research and development at nCircle, agrees. “If you have to apply only one patch, pick this one and pay close attention to the number of products affected.”

Of course, the XML flaw is only one of the Critical security bulletins this month. The other one is MS13-001, which deals with a flaw in the print spooler service on Windows 7 and Windows Server 2008.

Ross Barrett, senior manager of security engineering for Rapid7, explains, “It is an interesting defect in that an attacker could queue malicious print job headers to exploit clients which connect.”

Barrett points out, however, that no organization should have a print spooler accessible outside the firewall, so remote exploitation should be non-existent. He adds, though, that there is nothing to prevent an inside or local exploit, and that an attacker who has compromised a system through other means might be able to use this vulnerability from the inside.

One other area of concern, though, is a zero-day vulnerability being exploited in Internet Explorer 6, 7, and 8 that is not addressed in this Patch Tuesday release. Microsoft has provided a Fix-It tool that guards against the known attacks in the wild, as well as the Metasploit exploit module. However, Exodus Intelligence discovered that there are other ways to trigger the vulnerability that are not addressed by the Fix-It tool.

Notably missing from Patch Tuesday is a fix for the IE zero day.

Wolfgang Kandek, CTO of Qualys, urges IT admins to apply the Fix-It since it at least addresses the known attacks, but cautions them to also beware of the ongoing active threat. “IT admins in enterprises should track this vulnerability closely, as a large percentage of enterprises still run the affected versions of Internet Explorer 6, 7 and 8.”

VMware’s Research Development Manager, Jason Miller, suggests that IT admins make sure antimalware protection is kept up to date to guard against new attacks. He also points out that IE9 and IE10 are not affected and that one solution would be to simply upgrade to a newer version of the browser. Of course, that won’t work for users still on Windows XP or older versions.

Storms expects Microsoft to release an out-of-band patch within the next couple of weeks to address the IE zero-day.

Tony Bradley

Tony is principal analyst with the Bradley Strategy Group, providing analysis and insight on tech trends. He is a prolific writer on a range of technology topics, has authored a number of books, and is a frequent speaker at industry events.